[Security] Bump squizlabs/php_codesniffer from 2.6.0 to 2.9.1 #5

Conversation

dependabot-preview[bot]
Contributor

Bumps squizlabs/php_codesniffer from 2.6.0 to 2.9.1. This update includes security fixes.

Vulnerabilities fixed

Sourced from The PHP Security Advisories Database.

Arbitrary shell execution

Affected versions: >=1.0.0, <2.0.0; >=2.0.0, <2.8.1

Release notes

Sourced from squizlabs/php_codesniffer's releases.

2.9.1

  • Fixed bug #1442 : T_NULLABLE detection not working for nullable parameters and return type hints in some cases
  • Fixed bug #1448 : Generic.Classes.OpeningBraceSameLine doesn't detect comment before opening brace
    • Thanks to Juliette Reinders Folmer for the patch

2.9.0

  • Added Generic.Debug.ESLint sniff to run ESLint over JS files and report errors
    • Set eslint path using: phpcs --config-set eslint_path /path/to/eslint
    • Thanks to Ryan McCue for the contribution
  • T_POW is now properly considered an arithmetic operator, and will be checked as such
    • Thanks to Juliette Reinders Folmer for the patch
  • T_SPACESHIP and T_COALESCE are now properly considered comparison operators, and will be checked as such
    • Thanks to Juliette Reinders Folmer for the patch
  • Generic.PHP.DisallowShortOpenTag now warns about possible short open tags even when short_open_tag is set to OFF
    • Thanks to Juliette Reinders Folmer for the patch
  • Generic.WhiteSpace.DisallowTabIndent now finds and fixes improper use of spaces anywhere inside the line indent
    • Previously, only the first part of the indent was used to determine the indent type
    • Thanks to Juliette Reinders Folmer for the patch
  • PEAR.Commenting.ClassComment now supports checking of traits as well as classes and interfaces
    • Thanks to Juliette Reinders Folmer for the patch
  • Squiz.Commenting.FunctionCommentThrowTag now supports re-throwing exceptions (request #946)
    • Thanks to Samuel Levy for the patch
  • Squiz.PHP.DisallowMultipleAssignments now ignores PHP4-style member var assignments
    • Thanks to Juliette Reinders Folmer for the patch
  • Squiz.WhiteSpace.FunctionSpacing now ignores spacing above functions when they are preceded by inline comments
    • Stops conflicts between this sniff and comment spacing sniffs
  • Squiz.WhiteSpace.OperatorSpacing no longer checks the equal sign in declare statements
    • Thanks to Juliette Reinders Folmer for the patch
  • Added missing error codes for a couple of sniffs so they can now be customised as normal
  • Fixed bug #1266 : PEAR.WhiteSpace.ScopeClosingBrace can throw an error while fixing mixed PHP/HTML
  • Fixed bug #1364 : Yield From values are not recognised as returned values in Squiz FunctionComment sniff
  • Fixed bug #1373 : Error in tab expansion results in white-space of incorrect size
    • Thanks to Mark Clements for the patch
  • Fixed bug #1381 : Tokenizer: dereferencing incorrectly identified as short array
  • Fixed bug #1387 : Squiz.ControlStructures.ControlSignature does not handle alt syntax when checking space after closing brace
  • Fixed bug #1392 : Scope indent calculated incorrectly when using array destructuring
  • Fixed bug #1394 : integer type hints appearing as TypeHintMissing instead of ScalarTypeHintMissing
    • PHP 7 type hints were also being shown when run under PHP 5 in some cases
  • Fixed bug #1405 : Squiz.WhiteSpace.ScopeClosingBrace fails to fix closing brace within indented PHP tags
  • Fixed bug #1421 : Ternaries used in constant scalar expression for param default misidentified by tokenizer
  • Fixed bug #1431 : PHPCBF can't fix short open tags when they are not followed by a space
    • Thanks to Gonçalo Queirós for the patch
  • Fixed bug #1432 : PHPCBF can make invalid fixes to inline JS control structures that make use of JS objects

2.8.1

Security Advisory

  • This release contains a fix for a security advisory related to the improper handling of shell commands
    • Uses of shell_exec() and exec() were not escaping filenames and configuration settings in most cases
    • A properly crafted filename or configuration option would allow for arbitrary code execution when using some features
    • All users are encouraged to upgrade to this version, especially if you are checking 3rd-party code
... (truncated)
Commits
  • dcbed10 Prepare for 2.9.1 release
  • ee4bc19 Changelog for #1448
  • 809ac85 Merge branch 'feature/2.x-generic-classbracesameline-minor-fix' of https://gi...
  • 6e6a3ed Fixed bug #1442 : T_NULLABLE detection not working for nullable parameters an...
  • 8041fc5 Generic.Classes.OpeningBraceSameLine: Minor tweak for edge case scenario.
  • b940fb7 Fixed release dates
  • f7dfecb Prepare for 2.9.0 release
  • 2a6c145 Fixed bug #1266 : PEAR.WhiteSpace.ScopeClosingBrace can throw an error while ...
  • 1336d8b Fixed bug #1432 : PHPCBF can make invalid fixes to inline JS control structur...
  • 937a382 Changelog for #1431
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

If all status checks pass Dependabot will automatically merge this pull request.


Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Pull request limits (per update run and/or open at any time)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
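The shell-escaping bug class in the 2.8.1 security advisory above (file names and configuration values reaching exec()/shell_exec() unescaped), as an added PHP illustration that is not PHP_CodeSniffer's own code: the unsafe command construction beside a hardened form, plus a review-time check that flags leftover unquoted shell metacharacters. The function names, the `--format json` flag and the sample file name are constructed assumptions; the running PHP binary stands in for a configured tool path.

```php
<?php
declare(strict_types=1);

// Constructed illustration (not PHP_CodeSniffer code) of the advisory's bug
// class: a sniff that shells out to an external tool, joining a configured
// tool path and the name of the file under check into one command string.

// Unsafe shape: both values are interpolated verbatim, so a shell
// metacharacter in either the file name or the config value changes what
// the shell runs once this string reaches exec() or shell_exec().
function buildLintCommandUnsafe(string $toolPath, string $file): string
{
    return $toolPath . ' --format json ' . $file;
}

// Hardened shape: the configured path must be an existing executable, and
// escapeshellarg() turns each value into one single-quoted shell word
// (embedded quotes become '\''), so no metacharacter is interpreted.
function buildLintCommandSafe(string $toolPath, string $file): string
{
    if (!is_file($toolPath) || !is_executable($toolPath)) {
        throw new RuntimeException("tool path is not an executable file: $toolPath");
    }
    return escapeshellarg($toolPath) . ' --format json ' . escapeshellarg($file);
}

// Review-time check for any built command line: remove the single-quoted
// words escapeshellarg() produces, then look for metacharacters that would
// make the shell do more than run one program with its arguments.
function hasUnquotedMetachars(string $cmd): bool
{
    $stripped = preg_replace("/'(?:[^']|'\\\\'')*'/", '', $cmd);
    return (bool) preg_match('/[;&|`$<>()\n]/', $stripped);
}

// Constructed sample input: a file name carrying a command separator, and
// the running PHP interpreter standing in for a configured tool path.
$file = 'report.js; echo injected';
$tool = PHP_BINARY;

$unsafe = buildLintCommandUnsafe($tool, $file);
$safe   = buildLintCommandSafe($tool, $file);

printf("unsafe: %s\n  unquoted metacharacters: %s\n", $unsafe, var_export(hasUnquotedMetachars($unsafe), true));
printf("safe:   %s\n  unquoted metacharacters: %s\n", $safe, var_export(hasUnquotedMetachars($safe), true));
```

The check is deliberately conservative: it only proves that nothing outside an escapeshellarg()-quoted word can be interpreted by the shell, which is the property the advisory says was missing.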

Bumps [squizlabs/php_codesniffer](https://github.com/squizlabs/PHP_CodeSniffer) from 2.6.0 to 2.9.1. **This update includes security fixes.**
- [Release notes](https://github.com/squizlabs/PHP_CodeSniffer/releases)
- [Commits](squizlabs/PHP_CodeSniffer@2.6.0...2.9.1)

Signed-off-by: dependabot[bot] <support@dependabot.com>
@dependabot-preview
Contributor Author

Superseded by #7.

@dependabot-preview dependabot-preview bot deleted the dependabot/composer/squizlabs/php_codesniffer-2.9.1 branch November 8, 2018 07:13